CSS Advanced Configuration Guide (Software Version 7.20)
Configuring Adaptive Session Redundancy
Downloads: This chapterpdf (PDF - 328.0KB) The complete bookPDF (PDF - 4.07MB) | Feedback

Configuring Adaptive Session Redundancy

Table Of Contents

Configuring Adaptive Session Redundancy

Overview of CSS Redundancy

When to Use VIP and Virtual Interface Redundancy

When to Use ASR

When to Use Box-to-Box Redundancy

Configuring Adaptive Session Redundancy

Stateful Failover

Inter-Switch Communications

Redundant Indexes

Configuration Requirements and Restrictions

ASR Quick Start

Configuring Inter-Switch Communications

Configuring Redundant Services

Configuring Redundant Content Rules

Configuring Redundant Source Groups

Synchronizing ASR Configurations

Displaying ASR Information

Displaying Inter-Switch Communications Ports

Displaying Dormant Flow Information

Displaying ASR Information for Content Rules, Services, and Source Groups

Displaying ASR Status and Global Index Values

Displaying Summary ASR Information


Configuring Adaptive Session Redundancy


This chapter describes how to configure Adpative Session Redundancy (ASR) for stateful failover on a Cisco 11500 series CSS.

This chapter contains the following major sections:

Overview of CSS Redundancy

Configuring Adaptive Session Redundancy

Displaying ASR Information

Overview of CSS Redundancy

Redundancy helps to ensure:

High availability for your network appplications

Users do not experience long network delays or black holes due to a single point of failure.

A CSS provides three types of redundancy.

Virtual IP (VIP) redundancy and virtual interface redundancy - Provide redundant VIP addresses and redundant virtual interfaces for fate sharing and server default gateways. For details, refer to Chapter 6, Configuring VIP and Virtual Interface Redundancy.

Adaptive Session Redundancy (ASR) - Provides session-level redundancy (stateful failover) to continue active flows without interruption if the master CSS fails over to the baclup CSS. For details, see this chapter.

Box-to-box redundancy - Provides chassis-level redundancy between two identically configured CSSs. For details, refer to Chapter 8, Configuring Box-to-Box Redundancy.

The following sections provide information about when and when notto use the different types of redundancy.

When to Use VIP and Virtual Interface Redundancy

Typically, you configure VIP redundancy on the public side of CSS peers that are positioned in front of a server farm. You configure virtual interface redundancy on the private-side interfaces attached to the L2 device in front of the servers.

Configure VIP redundancy:

With virtual interface redundancy to provide fate sharing

When you have a common subnet between the two CSSs on which the VIPs reside

As a prerequisite to configuring ASR (requires active-backup VIP redundancy)

To provide active-active CSS behavior (both CSSs processing flows)

Configure interface redundancy:

With VIP redundancy to provide fate sharing

When you need a default gateway for the back-end servers

Instead of VIP redundancy on the client side of the CSS when the VIPs are on a subnet different from the subnet of your uplinks

When to Use ASR

ASR provides session-level redundancy for applications where active flows (including TCP and UDP) must continue without interruption, even if the master CSS fails over to the backup CSS.

Configure ASR:

If you require stateful failover for mission-critical applications (for example, enterprise applications, long-lived flows, such as HTTP or FTP file transfers, and e-commerce)

After you have first configured active-backup VIP and virtual interface redundancy

When to Use Box-to-Box Redundancy

Configure box-to-box redundancy when you:

Expect the behavior of the CSSs to be active/standby (only the master CSS processes flows)

Can configure a dedicated Fast Ethernet (FE) link between the CSSs for the VRRP heartbeat

Do not configure box-to-box redundancy when you:

Expect the behavior of the CSSs to be active-active (both CSSs processing flows). Use VIP redundancy instead.

Cannot configure a dedicated FE link between the CSSs.

Configuring Adaptive Session Redundancy

Configure Adaptive Session Redundancy (ASR) on Cisco 11500 series CSS peers in an active-backup VIP redundancy and virtual interface redundancy environment to provide stateful failover of existing flows. ASR ensures that, if the master CSS fails, the backup CSS has the necessary flow-state information to continue any active flows (including TCP and UDP) without interruption when the backup CSS assumes mastership. "Adaptive" means that you can configure ASR on a per content rule basis.

Use ASR for:

Mission-critical enterprise applications.

Long-lived flows such as FTP and HTTP file transfers.

E-commerce applications, such as online stock trading or banking where users must remain connected to a service for the duration of a transaction even if the master CSS fails.

In an ASR configuration, CSSs replicate flows that are:

Fully-resolved (the master CSS has received a SYN/ACK from a server)

Set up using content rules, services, and source groups that you specify as redundant


Note For implicit or explicit Layer 5 rules, where there is delayed binding, binding is not complete until the CSS processes the SYN/ACK from the server. If a failover occurs in the middle of a spanned content request, the master CSS will not receive the SYN/ACK from the server and the flow will not be replicated on the backup CSS. No data is lost and users can simply refresh their browsers to restart the connection.



Note During an FTP failover, the control channel and/or the data channel need to share information with the backup CSS. If the current state information has not been fully transferred across the ISC link to the backup CSS, then the flow may be lost.


This section includes the following topics:

Stateful Failover

Inter-Switch Communications

Redundant Indexes

Configuration Requirements and Restrictions

ASR Quick Start

Configuring Inter-Switch Communications

Configuring Redundant Services

Configuring Redundant Content Rules

Configuring Redundant Source Groups

Synchronizing ASR Configurations

Stateful Failover

Active flows that match a redundant content rule, service, or source group on the master CSS are replicated as dormant flows on the backup CSS peer. A dormant flow contains all the flow-state information necessary for the backup CSS to take over the flow if the master CSS fails, including the flow ID assigned by the session processor (SP) that created the flow. If the master CSS fails, the dormant flows on the backup CSS become active when the backup CSS assumes mastership of the VIP. In turn, the active flows on the former master CSS transition to a dormant state to fully back up the active flows on the new master CSS.

A master CSS maps a newly activated TCP flow after it receives the first packet for the flow. If it can resolve a single route back to the source address, a CSS attempts to map a UDP flow when it activates the flow. Otherwise, the CSS maps the UDP flow after it receives the first packet for the flow.

Inter-Switch Communications

In an ASR configuration, CSS peers share redundant flow-state information over a maximum of two private Inter-Switch Communications (ISC) links after booting. ISC is a messaging service used by CSSs to exchange flow-state information. Only one ISC link is active at a time. The other ISC link (if configured) remains in backup mode until needed.

To determine if an ISC link is up, a CSS uses a mechanism called LifeTick. LifeTick sends an asynchronous message that contains information about the selected path. If the CSS does not receive a LifeTick message within one second, the CSS considers the ISC link to be down. If a second link is configured, the CSS uses that link for ISC.

The ISC links use the Gigabit Ethernet ports or the Fast Ethernet ports on the CSS session processors (SPs) to send ISC messages containing the flow-state information. Once you configure the ISC ports, you cannot use those same ports for non-ISC traffic.


Note You must connect the ISC ports directly to the two CSSs. You cannot use L2 devices on the ISC links between the two CSSs. Also, the ISC links must be dedicated to passing only ISC traffic.


For new flows, CSSs exchange flow states in real time over the ISC links. For existing flows, CSSs exchange flow states at boot-up time and at VIP redundancy failover.

Redundant Indexes

ASR uses unique global redundant indexes to keep track of content rules, services, and source groups configured on the redundant CSS peers. Set up the redundant indexes in rules, services, and groups using the redundant-index command. You must then configure identical redundant content rules, services, and source groups on CSS peers in the ASR configuration.

Each redundant index that you configure on a rule, service, or group must be unique among all rules, services, or groups configured on a redundant pair of CSSs. For example, if you configure a rule with a redundant index of 1 on a pair of CSSs, you cannot configure an index of 1 on another rule. However, you could configure an index of 1 on a group or service if that value has not already been used on a group or a service.


Note If you run traffic to a configuration that contains discrepancies between the redundant indexes on the two CSSs, the CPU utilization for each processor on the CSS may climb to an abnormal level (at 2000 flows/second, approximately 50 percent utilization for each processor). If you set the logging level to notice-5 or higher, the SCM utilization may peak at approximately 90 percent because each connection generates a redundant index mismatch log entry. For example:
AUG 7 14:12:15 3/1 1124272 SLR-5: Rejected. Redundant global rule index (7) not found.


Configuration Requirements and Restrictions

The following requirements and restrictions apply to both CSS peers in an ASR configuration:

Configure VIP redundancy and virtual interface redundancy on both CSS peers. For details, refer to Chapter 6, Configuring VIP and Virtual Interface Redundancy.

Configure a redundant VIP in a redundant content rule or source group. In order to activate a redundant content rule or source group, you must associate the rule or group with a redundant VIP.

Ensure that VIP ranges specified in redundant content rules and source groups are the same as the VIPs associated with virtual routers for VIP redundancy. If the redundant content rule or source group VIPs are a superset, ASR is supported only for the VIPs that are associated with the virtual routers. For the remaining VIPs, the behavior is undefined when a failover occurs, because it is unclear whether those VIPs are mastered on the new master CSS or not.

You cannot configure VIP wildcard or double-wildcard caching rules because they do not require a VIP. For information on wildcard cache rules, refer to the Cisco Content Services Switch Basic Configuration Guide.

Configure ISC on both CSSs. This allows the CSSs to share flow-state information.

Configure a maximum of two ISC ports on a CSS. Multiple ports must reside on the same module in the CSS 11503 or CSS 11506 or on the same CSS 11501. Also, the ports must be of the same type (Gigabit Ethernet or Fast Ethernet) in both CSSs. Ensure that the ISC ports are not configured in any VLANs. If necessary, remove the designated ports from all VLANs before configuring ISC. For details on disabling an interface port from a VLAN, refer to the Content Services Switch Administration Guide.

You must connect the ISC ports directly to the two CSSs. You cannot use L2 devices on the ISC links between the two CSSs. Also, the ISC links must be dedicated to passing only ISC traffic.

If you configure any ISC ports on an SCM, you can have only one SCM installed in the CSS 11506.

The CSS 11501 does not support redundant GE Inter-Switch Communications links for ASR because the switch includes only a single GBIC port.

Ensure that any service configured with connection limits, marked as redundant, and used by at least one redundant content rule is used only by other content rules that are also redundant. If this is not true, there could be redundant and nonredundant flows connected to the service with connection limits. In case of a failover, no information is available for the nonredundant flows on the backup CSS. Until the server cleans up the nonredundant flow connections, they continue to contribute to the connection limit on the service without the backup CSS having any knowledge of how many such connections exist. Making all flows redundant by imposing the above restrictions eliminates this problem.

When you configure critical services, be sure to change the default keepalive settings to the following recommended settings for ASR. For example, enter:

service CriticalService
ip address 192.168.2.1 
keepalive frequency 2 
keepalive maxfailure 2 
keepalive retryperiod 2 
active


Note The above keepalive values are a recommended starting point. Some scripted keepalives may take longer than two seconds to run. You may need to adjust your keepalive values so that the CSS detects a failure before your application times out.


Configure as redundant any source groups that you specify in ACL clauses. It is helpful to configure ACLs similarly on the master and backup CSSs. This ensures that the CSSs can share the port-map state during flow setup time, and, at failover time, a CSS finds the same ACL and source group configured on the peer. Otherwise, when a flow fails over to the backup, it is possible that the flow may match on a different ACL clause that has no source group configured or a different source group (possibly a nonredundant one).

Source groups selected by ACL-checking always take precedence over other source group matches for a flow. Therefore, if the master and backup CSSs have different ACL definitions, when a flow fails over to the backup and the source group selected on the master is not found on the backup, the CSS rejects the flow. Also, if the flow matches on a different source group through an ACL, that source group takes precedence over the redundant source group that was sent from the master.

Configure as redundant any preferred service that you configured in an ACL clause.

Configure mutually exclusive port-map ranges on the redundant peers using the global-portmap command to avoid potential network port collisions. Keeping the port-map ranges mutually exclusive on the redundant peer also eliminates the need to dynamically update the global port-map database on the backup CSS. For more information on port mapping, refer to the Cisco Content Services Switch Administration Guide.

Do not configure ASR and stateless redundancy failover on the same CSS. Such a configuration is not supported. For details on stateless redundancy failover, refer to Chapter 8, Configuring Box-to-Box Redundancy, in the "Configuring Stateless Redundancy Failover" section.

ASR does not support NAT Peering. For details on NAT Peering, refer to the Content Services Switch Basic Configuration Guide.

ASR Quick Start

Table 7-1 provides a quick overview of the steps required to configure ASR for each CSS in the redundant configuration. Each step includes the CLI command or a reference to the procedure required to complete the task. For a complete description of each feature and all the options associated with the CLI command, see the sections following Table 7-1.

Table 7-1 ASR Configuration Quick Start 

Task and Command Example

1. Enter config mode.

# config 
(config)#

2. Configure active/backup VIP and virtual interface redundancy. Refer to Chapter 6, Configuring VIP and Virtual Interface Redundancy earlier in this chapter.

3. Configure a maximum of two directly connected (no intervening L2 devices) ISC links on Gigabit Ethernet or Fast Ethernet ports between the two redundant CSSs. See "Configuring Inter-Switch Communications" later in this chapter.

(config)# interface 1/1
(config-if[ 1/1])# isc-port-one
(config)# interface 1/2
(config-if[ 1/2])# isc-port-two

4. Configure services that are targets of redundant content rules. For more information on services, refer to the Cisco Content Services Switch Basic Configuration Guide.

(config)# service server1
(config-service[server1])# ip address 192.168.100.100
(config-service[server1])# redundant-index 1
(config-service[server1])# active

5. Configure redundant content rules and add the redundant services. For more information on content rules, refer to the Cisco Content Services Switch Basic Configuration Guide.

(config)# owner arrowpoint
(config-owner[arrowpoint])# content rule1
(config-owner-content[arrowpoint-rule1]# vip address 192.168.1.1
(config-owner-content[arrowpoint-rule1]# protocol tcp
(config-owner-content[arrowpoint-rule1]# port 80
(config-owner-content[arrowpoint-rule1]# url "/redundant.html"
(config-owner-content[arrowpoint-rule1]# add service server1
(config-owner-content[arrowpoint-rule1]# redundant-index 5
(config-owner-content[arrowpoint-rule1]# active

6. Configure redundant source groups and add the redundant services. For more information on source groups, refer to the Cisco Content Services Switch Basic Configuration Guide.

(config)# group group1
(config-group[group1])# vip address 192.168.10.10
(config-group[group1])# add service server1
(config-group[group1])# redundant-index 4
(config-group[group1])# active

7. Configure global port mapping (port translation) with mutually exclusive port ranges on the CSS peers to avoid potential port collisions. For more information on CSS port mapping, refer to the Cisco Content Services Switch Administration Guide.

For example, on one CSS peer, enter:

(config)# global-portmap base-port 3000 range 30000

On the other CSS peer, enter:

(config)# global-portmap base-port 33100 range 30000

8. Configure the same redundant services, content rules, and source groups on the other CSS peer (synchronize the configurations).


Configuring Inter-Switch Communications

Inter-Switch Communications (ISC) is a messaging service that Cisco 11500 series CSS peers use to exchange flow-state information in an ASR configuration. If the master CSS fails, the backup CSS already has the flow-state information necessary to continue the current flows without interruption. Using ISC, CSSs exchange state information:

For existing flows at boot-up time and at VIP redundancy failover

For new flows in real time (after the CSS receives a SYN/ACK from the server)

Use the isc-port-one and isc-port-two commands in interface configuration mode to enable ISC between two Cisco 11500 series CSSs in an ASR configuration. You can configure a maximum of two ISC ports on each CSS. The two ports must be of the same type (Gigabit Ethernet or Fast Ethernet) and must be on the same module in the CSS 11503 or CSS 11506 or on the same CSS 11501.

The CSS 11501 does not support redundant GE Inter-Switch Communications links for ASR because the switch includes only a single GBIC port.

You must connect the ISC ports directly to the two CSSs. You cannot use L2 devices on the ISC links between the two CSSs. Also, the ISC links must be dedicated to passing only ISC traffic.

For example, to enable both ISC ports on a CSS 11506, enter:

(config)# interface 1/1
(config-IF[ 1/1])# isc-port-one
(config-IF[ 1/1])# interface 1/2
(config-IF[ 1/2])# isc-port-two

To disable both ISC ports on a CSS 11506, enter:

(config)# interface 1/1
(config-IF[ 1/1])# no isc-port-one
(config-IF[ 1/1])# interface 1/2
(config-IF[ 1/2])# no isc-port-two

Configuring Redundant Services

Use the redundant-index command to configure the global service index for a redundant service. A CSS uses the global service index to keep track of redundant services and associated flow-state information.

The syntax for this service configuration mode command is:

redundant-index index

The variable index is a unique number you assign to a redundant service. Enter a unique integer from 0 to 32767, where a value of 0 disables ASR for a service. The default is 0, but it does not appear in the running-config even if you configure it explicitly.

For example:

(config-service[server1])# redundant-index 5

To disable ASR for a service, enter:

(config-service[server1])# no redundant-index

Note If you issue the no redundant-index command on an active redundant service for live redundancy peers, the command automatically suspends the service. Flows already mapped by a CSS are not affected. However, if a failover occurs during the life of an active flow that matches on such a suspended service, the backup CSS cannot map the flow because it cannot find the service with the same global index as that on the original master.


For more information on configuring services, refer to the Cisco Content Services Switch Basic Configuration Guide.

Configuring Redundant Content Rules

Use the redundant-index command to configure the global content index for a redundant content rule. A CSS uses the global content index to keep track of redundant content rules and associated flow-state information.

The syntax for this content configuration mode command is:

redundant-index index

The variable index is a unique number you assign to a redundant content rule. Enter a unique integer from 0 to 32767, where a value of 0 disables ASR on a content rule. The default is 0, but it does not appear in the running-config even if you configure it explicitly.

For example:

(config-owner-content[arrowpoint-rule1]# redundant-index 1

To disable ASR on a content rule, enter:

(config-owner-content[arrowpoint-rule1]# no redundant-index


Note If you issue the no redundant-index command on an active redundant content rule for live redundancy peers, the command automatically suspends the content rule. Flows already mapped by a CSS are not affected. However, if a failover occurs during the life of an active flow that matches on such a suspended content rule, the backup CSS cannot map the flow because it cannot find the content rule with the same global index as that on the original master.


For more information on configuring content rules, refer to the Cisco Content Services Switch Basic Configuration Guide.

Configuring Redundant Source Groups

Use the redundant-index command to configure the global source group index for a redundant source group. A CSS uses the global source group index to keep track of redundant content rules and associated flow-state information.

The syntax for this group configuration mode command is:

redundant-index index

The variable index is a number you assign to a redundant source group. Enter a unique integer from 0 to 32767, where a value of 0 disables ASR for a source group. The default is 0, but it does not appear in the running-config even if you configure it explicitly.

For example, to enable ASR for a source group:

(config-group[group1])# redundant-index 4

To disable ASR for a source group, enter:

(config-group[group1])# no redundant-index


Note If you issue the no redundant-index command on an active redundant source group on live redundancy peers, the command automatically suspends the source group. Flows already mapped by a CSS are not affected. However, if a failover occurs during the life of an active flow that matches on such a suspended source group, the backup CSS cannot map the flow because it cannot find the source group with the same global index as that on the original master.


For more information on configuring source groups, refer to the Cisco Content Services Switch Basic Configuration Guide.

Synchronizing ASR Configurations

You must synchronize configurations on both CSS peers to ensure that the ASR-specific configurations on the master CSS and the backup CSS are the same. This is critical to the proper functioning of ASR.

For ASR, you must manually configure on each peer:

ISC

Redundant content rules

Redundant services

Redundant source groups

Displaying ASR Information

Use the commands described in the following sections to display information for:

Inter-Switch Communications

Dormant flows used for ASR

ASR status and global redundant indexes

Displaying Inter-Switch Communications Ports

Use the show isc-ports command to display the ports configured for ISC on a Cisco 11500 series CSS.

Table 7-2 describes the fields in the show isc-ports output.

Table 7-2 Field Descriptions for the show isc-ports Command 

Field
Description

Inter-Switch Communications Configuration

Lists the CSS ports (in slot/port format) configured for ISC port one and ISC port two. If ISC is not configured, the command displays the following messages: Inter-Switch Port One is not configured. Inter-Switch Port Two is not configured.

Inter-Switch Communications Status

Indicates whether ISC is Up or Down and, if Up, on which CSS port ISC is currently active.


Displaying Dormant Flow Information

Use the show dormant flows command to display information about the current dormant flows on the backup CSS in an ASR configuration. Dormant flows are flows on the backup CSS that become active if the master CSS fails and the backup CSS assumes mastership.

The syntax for this command is:

show dormant flows {source_address {destination_address}}

The optional variables for this command are:

source_address - Displays dormant flows for the specified source IP address. Enter the IP address in dotted-decimal notation (for example, 192.168.11.1).

destination_address - Displays dormant flows for the specified destination IP address. Enter the IP address in dotted-decimal notation (for example, 192.168.11.1).

Table 7-3 describes the fields in the show dormant flows output.

Table 7-3 Field Descriptions for the show dormant flows Command 

Field
Description

Src Address

The source address for the flow.

SPort

The source port for the flow.

Dst Address

The destination address for the flow.

DPort

The destination port for the flow.

NAT Dst Address

The network address translation (NAT) destination address.

Prt In

Not applicable. A dormant flow does not have a port associated with it.

OutPort

Not applicable. A dormant flow does not have a port associated with it.


Use the flow statistics dormant command to display summary information about redundant dormant flows.

Table 7-4 describes the field in the flow statistics dormant output.

Table 7-4 Field Descriptions for the flow statistics dormant Command 

Field
Description

Total Dormant Flows

The total number of inactive redundant flows mapped on the backup CSS from active redundant flows on the master CSS. The dormant flows contain all the flow-state information necessary for the backup CSS to master the flows if the master CSS fails. If the master CSS fails, the backup CSS becomes the master CSS and the dormant flows become active flows.


Displaying ASR Information for Content Rules, Services, and Source Groups

The following sections describe how to display ASR information specific to content rules, services, and source groups.

Displaying ASR Status and Global Index Values

Use the show rule, show service, and show group commands to display information about ASR status and global redundant indexes. The relevant fields in the output of these commands are:

Session Redundancy - The state of ASR for the content rule, service, or source group. Possible values are: Enabled or Disabled

Redundancy Global Index - The unique global index value for ASR configured for the content rule, service, or source group using the redundant-index command.

For full details on the show rule, show service, and show group commands, refer to the Cisco Content Services Switch Basic Configuration Guide.

Displaying Summary ASR Information

Use the show session-redundant command to display summary ASR information about redundant content rules, services, and source groups.

The syntax for this global configuration mode command is:

show session-redundant [rule|service|group|all]

The optional keywords are:

rule - Displays summary ASR information for redundant content rules.

service - Displays summary ASR information for redundant services.

group - Displays summary ASR information for redundant source groups.

all - Displays summary ASR information for content rules, services, and source groups.

For example, to view summary ASR information for redundant content rules, enter:

(config)# show session-redundant rule

Table 7-5 describes the fields.

Table 7-5 Field Descriptions for the show session-redundant Command
 

Field
Description
Session Redundant Content Rules

Content Rule

The redundant content rule name.

Content Rule State

The current state of the redundant content rule. Possible states are: Active or Suspend.

VIP Address

The virtual IP address of the redundant content rule in dotted decimal notation.

Redundancy Global Index

The ASR global index configured for the redundant content rule.

Redundancy State

The state of the CSS peer: Master, Backup, or Suspend.

Rule Redundant Services 1

The name of the redundant service and its global index value configured on the rule.

Session Redundant Services

Service

The name of the redundant service.

Service State

The current state of the redundant service. Possible states are: Alive, Dying, or Down.

IP Address

The virtual IP address of the redundant service in dotted-decimal notation.

Redundancy Global Index

The ASR global index configured for the redundant service.

Session Redundant Source Groups

Source Group

The name of the redundant source group.

Source Group State

The current state of the redundant source group. Possible states are: Active or Suspend.

VIP Address

The virtual IP address of the redundant source group.

Redundancy Global Index

The ASR global index configured for the redundant source group.

Group Redundant Services

Source Services

The redundant source services configured in this redundant source group, their keepalive state, and global index. If no source services are configured in this source group, the value is NONE.

Destination Services

The redundant destination services configured in this redundant source group and their keepalive state. If no destination services are configured in this source group, the value is NONE.